Abstract

We propose a generalisation of concurrent Kleene algebra [5] that can take account of probabilistic effects in the presence of concurrency. The algebra is proved sound with respect to a model of automata modulo a variant of rooted η-simulation equivalence. Applicability is demonstrated by algebraic treatments of two examples: algebraic may testing and Rabin's solution to the choice coordination problem.

1 Introduction 

Kleene algebra generalises the language of regular expressions and, as a basis for reasoning about programs and computing systems, it has been used in applications ranging from compiler optimisation, program refinement and combinatorial optimisation to algorithm design [?]. A number of variants of the original axiom system and language of Kleene algebra have extended its range of applicability to include probability [12], the most recent being the introduction of a concurrency operator [5]. The main benefits of the algebraic approach are that it captures some essential aspects of computing systems in a simple and concise way and that the calculational style of reasoning it supports is very suitable for automated theorem proving.

In this paper we continue this line of work and propose weak concurrent Kleene algebra, which extends the abstract probabilistic Kleene algebra [12] with the concurrency operator of concurrent Kleene algebra [5] and thus supports reasoning about concurrency in a context of probabilistic effects. This extension calls for a careful evaluation of the axiom system so that it accurately accounts for the interactions of probabilistic choice, nondeterministic choice and the treatment of concurrency. For example, probabilistic Kleene algebra accounts for the presence of probability in the failure of the original distributive law $x(y + z) = xy + xz$, which is also absent in most process algebras. That is because when the terms $x, y, z$ are interpreted as probabilistic programs, with $xy$ meaning "first execute $x$ and then $y$" and $+$ interpreted as a nondeterministic choice, the expression on the left-hand side exhibits a greater range of nondeterminism than the right in the case that $x$ includes probabilistic behaviours. For example, if $x$ is interpreted as a program which flips a bit with probability 1/2, then the subsequent nondeterministic choice in $y + z$ can always be resolved so that $y$ is executed if and only if the bit was indeed flipped. This is not a behaviour amongst those described by $xy + xz$, where the nondeterminism is resolved before the bit is flipped and therefore its resolution is unavoidably independent of the flipping. Instead, in contexts such as these, distributivity must be replaced by a weaker law:

Sub-distributivity: $xy + xz \le x(y + z)$. (1)

Elsewhere [?] we show that this weakening of the original axioms of Kleene algebra results in a complete system relative to a model of nondeterministic automata modulo simulation equivalence.

The behaviour of the concurrency operator of concurrent Kleene algebra [5] is captured in particular by the interchange law:

$(x \| y)(u \| v) \le (xu) \| (yv)$

which expresses that there is a lesser range of nondeterministic executions on the left where, for example, the execution of $u$ is constrained to follow a complete execution of $x$ run concurrently with $y$, but on the right it is not.

Our first contribution is the construction of a concrete model of abstract probabilistic automata (where the probability is at the action level) over which to interpret terms composed of traditional Kleene algebra together with concurrent composition. In this interpretation, each term represents an automaton. For example, in Equation (1), $x$, $y$ and $z$ are automata and so is $xy + xz$. We show that the axiom system of concurrent Kleene algebra, weakened to allow for the presence of probability, is sound with respect to those probabilistic automata. Our use of probabilistic automata is similar to models where the resolution of probability and nondeterminism can be interleaved; concurrent composition of automata models CSP synchronisation [4] in that context. Finally we use a notion of rooted η-simulation to interpret the inequality $\le$ used in algebraic inequations.

Our second contribution is to explore some applications of our axiomatisation of weak concurrent Kleene algebra, to explain our definition of rooted η-simulation in terms of may testing [14], and to demonstrate the proof system on Rabin's distributed consensus protocol [15].



One of the outcomes of this study is to expose the tensions between the various aspects of system execution. Some of the original concurrent Kleene algebra axioms [5] required for the concurrency operator now fail to be satisfiable in the presence of probabilistic effects and synchronisation supported by the interchange law. For example, the term 1 from Kleene algebra (interpreted as "do nothing") can no longer be a neutral element for the concurrency operator $\|$: we only have the specific equality $1 \| 1 = 1$ and not the more general $1 \| x = x$. In fact we chose to preserve the full interchange law in our choice of axioms because it already captures so many notions of concurrency, including exact parallel and synchronisation, suggesting that it is a property about general concurrent interactions.

A feature of our approach is to concentrate on broad algebraic structures in order to understand how various behaviours interact rather than to study precise quantitative behaviours. Thus we do not include an explicit probabilistic choice operator in the signature of the algebra; probability occurs explicitly only in the concrete model as a special kind of asynchronous probabilistic action combined with internal events (events that the environment cannot access). This allows the specification of complex concurrent behaviour to be simplified using applications of weak distributivity, embodied by Equation (1), and/or the interchange law, as illustrated by our case study. Finally we note that the axiomatisation we give is entirely in terms of first-order expressions and therefore is supported by first-order reasoning. Thus all of our algebraic proofs have been implemented within the Isabelle/HOL theorem proving environment. These proofs can be found in a repository of formalised algebraic theorems (footnote 1).

In Section 2 we explore the axiomatisation of the new algebra. It is essentially a mixture of probabilistic and concurrent Kleene algebras. Sections 3 and 4 are devoted to showing the consistency of our approach: a concrete model based on automata and η-simulation is constructed. In Section 5 we compare our approach with probabilistic automata (automata that exhibit explicit probability) and probabilistic simulation. We conclude that, up to some constraint, the concrete model is a very special case of that more general model. In Sections 6 and 7 we present some applications; in particular an algebraic version of may testing is studied and variations of the specification of Rabin's protocol are explored.

In this paper $x$, $y$, etc. represent algebraic expressions or variables. Terms are denoted $s$, $t$, etc. Letters $a$, $b$, etc. stand for actions and $\tau$ represents an internal action. An automaton associated with a term or an expression is usually denoted by the same letter. Other notation is introduced as we need it.

In this extended abstract we can only explain the 
main properties of weak concurrent Kleene algebra 
and sketch the construction of the automaton model. 
Detailed constructions and proofs of all statements in 
this paper can be found in an appendix. 

2 Axiomatisation 

A Kleene algebra is a structure that encodes algebraically the sequential behaviour of a system. It is generally presented in the form of an idempotent (footnote 2) semiring structure $(K, +, \cdot, 0, 1)$ where $x \cdot y$ (sequential composition) is sometimes written using juxtaposition $xy$ in expressions. The term 0 is the neutral element of $+$ and 1 is the neutral element of $\cdot$. The semiring is then endowed with a unary Kleene star $*$ representing finite iteration to form a Kleene algebra. This operator is restricted by the following axioms:

Left unfold: $1 + xx^* = x^*$, (2)
Left induction: $xy \le y \Rightarrow x^*y \le y$, (3)

1 http://staffwww.dcs.shef.ac.uk/people/G.Struth/isa/
2 Idempotence refers to the operation $+$, i.e. $x + x = x$.

where $x \le y$ if and only if $x + y = y$. In the sequel our interpretations will be over a version of probabilistic automata. In particular we will interpret $\le$ and $=$ as η-simulations.

Often, the duals of (2)–(3), i.e. $1 + x^*x = x^*$ and $yx \le y \Rightarrow yx^* \le y$, are also required. However, (2) and (3) are sufficient here and the dual laws follow from continuity of sequential composition for finite automata.

In a Kleene algebra, the semiring structure supports two distributivity laws:

Left distributivity: $xy + xz = x(y + z)$, (4)
Right distributivity: $(x + y)z = xz + yz$. (5)

Equation (4) however is not valid in the presence of probability. For example, compare the behaviour of probabilistic choice in the diagrams below. Here, $\mathit{flip}_p$ (footnote 3) denotes the process that flips a $p$-biased coin, which we can represent by a probabilistic automaton (details are given in Section 3).

[Diagram omitted: the two automata compared in the text, with the choice between $a$ and $b$ made before $\mathit{flip}_p$ on the left and after it on the right.]

In the right diagram, the choice between $a$ and $b$ can be based on the outcome of the coin flip, but such resolution is not possible in the left-hand diagram. We express the greater range of possible outcomes by the general inequation (1); specifically here it becomes

$(\mathit{flip}_p)y + (\mathit{flip}_p)z \le (\mathit{flip}_p)(y + z)$. (6)

As mentioned above, the zero of a Kleene algebra satisfies:

Left annihilation: $0x = 0$, (7)
Right annihilation: $x0 = 0$. (8)

In our interpretation that includes concurrency, we assume that 0 captures deadlock. However, axiom (8) is no longer appropriate because we should be able to differentiate between a process doing an action and then deadlocking from a process that is just deadlocked.

Definition 1. A weak probabilistic Kleene algebra is a structure $(K, +, \cdot, *, 0, 1)$ that satisfies the axioms of Kleene algebra except that there is no left distributivity (it is replaced by (1)) and Equation (8) does not hold generally.

A concurrency operator was added to Kleene algebra by Hoare et al. [5]. Our concurrency operator $\|$ satisfies the following standard axioms:

Associativity: $x \| (y \| z) = (x \| y) \| z$, (9)
Commutativity: $x \| y = y \| x$, (10)
One-idempotence: $1 \| 1 = 1$. (11)

3 We have abused notation in this example by using $\mathit{flip}_p$ to represent both an action and an automaton which performs that action.

In [5], $\|$ satisfies the identity $1 \| x = x$, which we do not have here because in the concrete model we will interpret $\|$ as the synchronisation operator found in CSP [4]. However, we still maintain the instance of that law in the special case $x = 1$ (see axiom (11)), where 1 is interpreted as "do nothing".

Next we have the axioms dealing with the interaction of $\|$, $+$ and $\cdot$.

Monotonicity: $x \| y + x \| z \le x \| (y + z)$ (12)
Interchange law: $(x \| y)(u \| v) \le (xu) \| (yv)$ (13)

The interchange law is the most interesting axiom of concurrent Kleene algebra. In fact it allows the derivation of many properties involving $\|$. To illustrate this in the probabilistic context, consider a probabilistic vending machine VM which we describe as the expression

$\mathrm{VM} = \mathit{coin} \cdot \mathit{flip}_p \cdot (\tau_h \cdot (\mathit{tea} + 1) + \tau_t \cdot (\mathit{coffee} + 1))$

where $\mathit{coin}$, $\mathit{tea}$, $\mathit{coffee}$, $\tau_h$, $\tau_t$ and $\mathit{flip}_p$ are all represented by automata. That is, the vending machine accepts a coin and then decides internally whether it will enable the button coffee or tea. The decision is determined by the action $\mathit{flip}_p$ (footnote 4), which (as explained later) enables either $\tau_h$ or $\tau_t$. The actions $\tau_t$ and $\tau_h$ are internal and the user cannot access them. Now, a user who wants to drink tea is specified as

$U = \mathit{coin} \cdot (\mathit{tea} + 1).$

The system becomes $U \| \mathrm{VM}$, where the concurrent operation is CSP-like and synchronises on $\mathit{coin}$, $\mathit{tea}$ and $\mathit{coffee}$. The interchange law together with the other axioms and some system assumptions imply the following inequation:

$U \| \mathrm{VM} \ge \mathit{coin} \cdot \mathit{flip}_p \cdot (\tau_h \cdot (\mathit{tea} + 1) + \tau_t)$ (14)

which is proved automatically in our repository. In other words, the user will only be satisfied with probability at least $p$, since the right-hand side says that the tea action can only be enabled provided that $\tau_h$ is enabled, and in turn that is determined by the result of the $\mathit{flip}_p$ action.

Now we are ready to define our algebra.

Definition 2. A weak concurrent Kleene algebra is a weak probabilistic Kleene algebra $(K, +, \cdot, *, 0, 1)$ with a concurrency operator $\|$ satisfying (9)–(13).

We assume the operator precedence $* < \cdot < \| < +$.

Proposition 3. Let $s$, $t$ be terms. The following equations hold in weak concurrent Kleene algebra.

1. All the operators are monotonic.

2. $(s^* \| t^*)^* = s^* \| t^*$.

3. $(s \| t)^* \le s^* \| t^*$.

4. $(s + t)^* = (s^* t^*)^*$.

4 I.e. the automaton that performs a $\mathit{flip}_p$ action.



3 Concrete Model

3.1 Semantic Space

We use nondeterministic automata to construct a concrete model. An automaton is denoted by a tuple

$(P, \to, i, F)$

where $P$ is a set of states. The set $\to \subseteq P \times \Sigma \times P$ is a transition relation and we write $x \xrightarrow{a} y$ when there is a transition, labelled by $a$, from state $x$ to state $y$. The alphabet $\Sigma$ is left implicit and considered to be fixed for every automaton. The state $i \in P$ is the initial state and $F \subseteq P$ is the set of final states of the automaton. In the sequel, we will denote an automaton $(P, \to, i, F)$ by its set of states $P$ when no confusion is possible.

The actions in the alphabet $\Sigma$ are categorised into three kinds:

• internal: actions that will be "ignored" by the simulation relation (as in $\tau_h$ and $\tau_t$). Internal actions are never synchronised by $\|$.

• external: actions that can be synchronised. Probabilistic actions are external (as in $\mathit{flip}_p$) but they are never synchronised.

• synchronised: external actions that will be synchronised when applying $\|$ (as in $\mathit{coin}$, $\mathit{tea}$ and $\mathit{coffee}$). These actions are determined by a set of external actions $A$. More specifically, $\|$ refers to $_A\|$, which we assume is fixed and given beforehand.

The special case of probabilistic choice is modelled by combining probabilistic and internal actions. That is, a process that does $a$ with probability $p$ and does $b$ with probability $1 - p$ is interpreted as the following automaton, where $\mathit{flip}_p \in \Sigma$ represents the action of flipping a $p$-biased coin which produces head with probability $p$ and tail with probability $1 - p$.

[Diagram omitted: the initial state performs $\mathit{flip}_p$, after which an internal $\tau_h$ transition leads to $a$ and an internal $\tau_t$ transition leads to $b$.]

The internal actions $\tau_t$ and $\tau_h$ are enabled according to the result of $\mathit{flip}_p$. Hence only one of $\tau_h$ and $\tau_t$ will be enabled just after the coin flip. Since $\tau_t$ and $\tau_h$ are internal actions, the choice is internal and based upon the outcome of $\mathit{flip}_p$. The important facts here are that the choice after $\mathit{flip}_p$ is internal, so could be based on the probabilistic outcome of $\mathit{flip}_p$, and that the environment cannot interfere with that choice. These two behavioural characteristics are what we consider to be the most general features of probability in a concurrent setting and they are those which we axiomatise and record in our concrete model.

Next, we impose some conditions on the automata to ensure soundness.

- reachability: every state of the automaton is reachable by following a finite path from the initial state.

- initiality: there is no transition that leads to the initial state. This means that $a^*$ corresponds to the automaton associated with $1 + aa^*$ rather than a self loop labelled by $a \in \Sigma$.

We denote by Aut the set of automata satisfying these two conditions. The next step is to define the operators that act on Aut. We use the standard inductive construction found in [?], and the diagrams illustrating the constructions are given in the appendix.

Deadlock: 0

This is the automaton that has only one state, namely the initial state, and no transition at all. It is the tuple $(\{i\}, \emptyset, i, \emptyset)$.

Skip: 1

This is the automaton that has only one state $i$, which is both initial and final. This automaton has no transition, i.e. it is denoted by $(\{i\}, \emptyset, i, \{i\})$.

Single action: $a$

The automaton associated with $a$ is $i \xrightarrow{a} o$ where $i$ is the initial state and $o$ is a final state. It is the tuple $(\{i, o\}, \{i \xrightarrow{a} o\}, i, \{o\})$.

Addition: $P + Q$

This automaton is obtained using the standard construction of identifying the initial states of $P$ and $Q$. (This is possible due to the initiality property.)

Multiplication: $PQ$ (or $P \cdot Q$)

This automaton is constructed in the standard way of identifying copies of the initial state of $Q$ with the final states of $P$.

Concurrency: $P\ {}_A\|\ Q$

This automaton is constructed as in CSP [4]. It is a sub-automaton of the Cartesian product of $P$ and $Q$. The initial state is $(i_P, i_Q)$ and the final states are the reachable elements of $F_P \times F_Q$. Notice that the set $A$ never contains probabilistic actions. Further explanation about $_A\|$ is given below.

Kleene star: $P^*$

This automaton is the result of repeating $P$, allowing a successful termination after each (possibly empty) full execution of $P$. The initial state of $P^*$ is final and copies of the initial state of $P$ are identified with the final states of $P$.

All automata begin with an initial state and end in some final or deadlock state. Our main use of final states is in the construction of sequential composition and Kleene star.

The concurrency operator $_A\|$ synchronises transitions labelled by an action in $A$ and interleaves the others (including internal transitions). As in CSP, a synchronised transition waits for a corresponding synchronisation action from the other argument of $_A\|$.

The proof of Proposition 4 (stated below) consists of checking that $P + Q$, $PQ$, $P \| Q$ and $P^*$ satisfy the reachability and initiality conditions whenever $P$ and $Q$ satisfy the same conditions (see Proposition 20 in the appendix).

In the sequel, whenever we use an unframed concurrency operator $\|$, we mean that the frame $A$ has been given and remains fixed.

3.2 Equivalence 

The previous subsection has given us the objects and operators needed to construct our concrete model. Next we turn to the interpretation of equality for our concrete interpretation.

Following the works found in [?], we again use a simulation-like relation to define valid equations in the concrete model. More precisely, due to the presence of internal actions, we will use an η-simulation as the basis for our equivalence.

Before we give the definition of simulation, we need the following notation. Given states $x$ and $y$, we write $x \Rightarrow y$ if there exists a path, possibly empty, from $x$ to $y$ that is labelled by internal actions only. This notation is also used in [17] with the same meaning.

Definition 5. Let $P$, $Q$ be automata. A relation $S \subseteq P \times Q$ (or $S : P \to Q$) is called an η-simulation if

- $(i_P, i_Q) \in S$,

- if $(x, y) \in S$ and $x \xrightarrow{a} x'$ then

a) if $a$ is internal then there exists $y'$ such that $y \Rightarrow y'$ and $(x', y') \in S$,

b) if $a$ is external then there exist $y_1$ and $y'$ in $Q$ such that $y \Rightarrow y_1 \xrightarrow{a} y'$ and $(x, y_1) \in S$ and $(x', y') \in S$,

- if $(x, y) \in S$ and $x \in F_P$ then $y \in F_Q$.

A simulation $S$ is rooted if $(i_P, y) \in S$ implies $y = i_Q$. If there is a rooted simulation from $P$ to $Q$ then we say that $P$ is simulated by $Q$ and we write $P \le Q$. Two processes $P$ and $Q$ are simulation equivalent if $P \le Q$ and $Q \le P$, and we write $P = Q$. In the sequel, any rooted η-simulation will be referred to simply as a simulation.

Relations satisfying Definition 5 are also η-simulations in the sense of [17], where property (a) is replaced by:

if $a$ is internal then $(x', y) \in S$. (15)

The identity relation (drawn as a dotted arrow) in the following diagram is a simulation relation satisfying Definition 5, but it is not a simulation in the sense of [17]. We need the identity relation to be a simulation here because in our proof of soundness, more complex simulations are constructed from identity relations.

[Diagram omitted: an automaton $P$ related to itself, $P = P$, by the identity relation drawn as a dotted arrow.]

Proposition 4. These operations of weak concurrent Kleene algebra are well defined on Aut, that is, if $P, Q \in$ Aut then $P + Q$, $PQ$, $P\ {}_A\|\ Q$ and $P^*$ are elements of Aut.

(Footnote to Subsection 3.1.) This is another reason we do not have $1 \| P = P$: if the first transition of $P$ is a synchronised action $a$ and $i_P$ is not a final state, then $1\ {}_{\{a\}}\|\ P = (\{(i, i_P)\}, \emptyset, (i, i_P), \emptyset) = 0$.

Proposition 6. The following statements hold.

1. The relational composition of two rooted η-simulations is again a rooted η-simulation. That is, if $S$, $T$ are rooted η-simulations then $S \circ T$ is also a rooted η-simulation, where $\circ$ denotes relational composition.

2. The simulation relation $\le$ is a preorder on Aut.

Proposition 6 is proven in Proposition [?] of the appendix.

Therefore, $=$ as determined by Definition 5 is an equivalence. In fact, we prove in the following proposition that it is a congruence with respect to $+$.

Proposition 7. The equivalence relation $=$ is a congruence with respect to $+$, and $P \le Q$ iff $P + Q = Q$.

The proof adapts and extends the one found in [17], and the specialised version for our case is Proposition 22 in the appendix.

It is well documented that η-simulation is not a congruence without the rootedness condition [13]. A typical example is given by the expressions $\tau a + \tau b$ and $\tau(a + b)$. The automata associated with these expressions are equivalent under non-rooted η-simulation.

The manipulation of probabilistic actions is also an important facet of our model. We assume that probabilistic actions are not synchronised, and in that respect they are similar to internal actions. However, probabilistic actions cannot be treated as internal, as the following example illustrates. Consider the action $\mathit{flip}_{1/2}$ which flips a fair coin. If $\mathit{flip}_{1/2}$ is an internal action then the inequality

$(\mathit{flip}_{1/2})(\tau a + \tau b) \le (\mathit{flip}_{1/2})\tau a + (\mathit{flip}_{1/2})\tau b$

would be valid when interpreted in the concrete model. In other words, we would have the following simulation:

[Diagram omitted: the automaton of $(\mathit{flip}_{1/2})(\tau a + \tau b)$ simulated by that of $(\mathit{flip}_{1/2})\tau a + (\mathit{flip}_{1/2})\tau b$.]

But this relationship (which implies distributivity of $\mathit{flip}_p$ through $+$) does not respect the desired behaviour of probability which, as we explained earlier, satisfies only a weaker form of distributivity. Whence, we assume that probabilistic actions such as $\mathit{flip}_{1/2}$ are among the external actions which will never be synchronised.
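Definition 5 and the coin-flip example above can be checked mechanically. The following Python is an added example, not code from the paper or its Isabelle repository: it computes the largest rooted η-simulation between two finite automata (a greatest-fixed-point iteration over candidate pairs, valid because rooted η-simulations are closed under union) and applies it to hand-built automata for $(\mathit{flip}_{1/2})(\tau a + \tau b)$ and $(\mathit{flip}_{1/2})\tau a + (\mathit{flip}_{1/2})\tau b$. State names, the dict layout and the action names `flip`/`tau` are my own; the set of internal actions is a parameter, so the same check is run with `flip` external (the paper's choice) and with `flip` internal.

```python
# Added example (not the paper's code): a checker for rooted eta-simulation, Definition 5,
# over automata written as dicts {"states", "trans", "init", "finals"} with transitions
# (x, a, y). The set of internal actions is a parameter, so the coin-flip example of this
# subsection can be replayed with flip treated as external (the paper's choice) and as internal.

def aut(trans, init, finals):
    # Build an automaton from its transition list; the state set is read off the transitions.
    states = {init} | {s for (x, _, y) in trans for s in (x, y)}
    return {"states": states, "trans": set(trans), "init": init, "finals": set(finals)}

def internal_closure(P, internal, y):
    # All y' with y => y': states reachable from y by internal actions only (y included).
    seen, todo = {y}, [y]
    while todo:
        s = todo.pop()
        for (x, a, t) in P["trans"]:
            if x == s and a in internal and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def largest_simulation(P, Q, internal):
    # Greatest fixed point: start from all pairs permitted by the final-state clause and
    # by rootedness, then discard pairs that violate the transition clauses until stable.
    # Rooted eta-simulations are closed under union, so what remains is the largest one.
    S = {(x, y) for x in P["states"] for y in Q["states"]
         if not (x in P["finals"] and y not in Q["finals"])
         and not (x == P["init"] and y != Q["init"])}
    changed = True
    while changed:
        changed = False
        for (x, y) in list(S):
            for (s, a, x2) in P["trans"]:
                if s != x:
                    continue
                if a in internal:
                    # clause (a): y => y' with (x', y') in S
                    ok = any((x2, y2) in S for y2 in internal_closure(Q, internal, y))
                else:
                    # clause (b): y => y1 --a--> y' with (x, y1) in S and (x', y') in S
                    ok = any((x, y1) in S and (x2, y2) in S
                             for y1 in internal_closure(Q, internal, y)
                             for (t, c, y2) in Q["trans"] if t == y1 and c == a)
                if not ok:
                    S.discard((x, y))
                    changed = True
                    break
    return S

def simulated_by(P, Q, internal):
    # P <= Q in the paper's sense: a rooted eta-simulation containing (i_P, i_Q) exists.
    return (P["init"], Q["init"]) in largest_simulation(P, Q, internal)

# Constructed automata for flip_{1/2}.(tau a + tau b) and flip_{1/2}.tau a + flip_{1/2}.tau b.
LEFT = aut([("i", "flip", "s"), ("s", "tau", "s1"), ("s", "tau", "s2"),
            ("s1", "a", "f1"), ("s2", "b", "f2")], "i", {"f1", "f2"})
RIGHT = aut([("i", "flip", "t1"), ("t1", "tau", "u1"), ("u1", "a", "g1"),
             ("i", "flip", "t2"), ("t2", "tau", "u2"), ("u2", "b", "g2")], "i", {"g1", "g2"})

def flip_external():
    # With flip external only sub-distributivity (6) holds: RIGHT <= LEFT but not LEFT <= RIGHT.
    return simulated_by(RIGHT, LEFT, {"tau"}), simulated_by(LEFT, RIGHT, {"tau"})

def flip_internal():
    # With flip internal the unwanted direction LEFT <= RIGHT would hold as well.
    return simulated_by(LEFT, RIGHT, {"tau", "flip"})
```

With `flip` external, `flip_external()` returns `(True, False)`: the distributed form is simulated by the factored form (inequation (6)) but not conversely, because after `flip` the factored automaton can still choose `a` or `b` while each branch of the distributed one is committed. Making `flip` internal lets clause (a) absorb it into `=>`, and `flip_internal()` returns `True`, which is exactly the unwanted full distributivity the paragraph rules out.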

4 Soundness

In this section, we prove that the set Aut endowed with the operators defined in Subsection 3.1, modulo rooted η-simulation equivalence (Subsection 3.2), forms a weak concurrent Kleene algebra.

The first part is to prove that Aut is a weak probabilistic Kleene algebra.

Proposition 8. $(\mathrm{Aut}, +, \cdot, *, 0, 1)$ is a weak probabilistic Kleene algebra.

The proof consists of detailed verifications of the axioms for weak probabilistic Kleene algebra (see Proposition 23 in the appendix).

The second part consists of proving that $\|$ satisfies the equations (9)–(13). Associativity depends heavily on the fact that both concurrent compositions involved in $x \| y \| z$ have the same frame set. For instance, let $\Sigma = \{a, b, c\}$. The identities

$(a\ {}_{\{a\}}\|\ b)\ {}_{\{c\}}\|\ a = ab0 + ba0$

and

$a\ {}_{\{a\}}\|\ (b\ {}_{\{c\}}\|\ a) = ab + ba$

are valid in the concrete model. Hence, the first process will always go into a deadlock state, though the second one will always terminate successfully. Therefore, to have associativity, the concurrency operator must have a fixed frame.
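The constructions of Subsection 3.1 and the two identities just stated can be replayed mechanically. The following Python is an added example, not code from the paper or its Isabelle repository: it represents an automaton as a dict of states, transitions, initial and final states (names and layout are my own), implements 0, 1, single actions, $+$, $\cdot$ and the framed $_A\|$ as described in Subsection 3.1 (the Kleene star is omitted), and enumerates the maximal runs of the two bracketings, recording whether each run ends in a final state or in deadlock.

```python
# Added example (not the paper's code): the automaton constructions of Subsection 3.1,
# minus the Kleene star, as plain Python data, used to replay the frame-dependent
# associativity example of Section 4. State names and the dict layout are my own choices.

def make(states, trans, init, finals):
    # An automaton (P, ->, i, F): states, transitions (x, a, y), initial state, final states.
    return {"states": frozenset(states), "trans": frozenset(trans),
            "init": init, "finals": frozenset(finals)}

def _prune(P):
    # Keep only states reachable from the initial state (the reachability condition).
    seen, todo = {P["init"]}, [P["init"]]
    while todo:
        x = todo.pop()
        for (s, _, t) in P["trans"]:
            if s == x and t not in seen:
                seen.add(t)
                todo.append(t)
    return make(seen, {tr for tr in P["trans"] if tr[0] in seen},
                P["init"], P["finals"] & seen)

def _tag(P, t):
    # A disjoint copy of P whose states are tagged with t.
    return make({(t, s) for s in P["states"]},
                {((t, x), a, (t, y)) for (x, a, y) in P["trans"]},
                (t, P["init"]), {(t, f) for f in P["finals"]})

def deadlock():            # 0: one state, no transition, nothing final
    return make({"i"}, set(), "i", set())

def skip():                # 1: one state that is both initial and final
    return make({"i"}, set(), "i", {"i"})

def action(a):             # a: i --a--> o with o final
    return make({"i", "o"}, {("i", a, "o")}, "i", {"o"})

def plus(P, Q):
    # P + Q: identify the two initial states (sound because of the initiality condition).
    P, Q = _tag(P, 0), _tag(Q, 1)
    rn = lambda s: P["init"] if s == Q["init"] else s
    return make(P["states"] | {rn(s) for s in Q["states"]},
                P["trans"] | {(rn(x), a, rn(y)) for (x, a, y) in Q["trans"]},
                P["init"], P["finals"] | {rn(f) for f in Q["finals"]})

def seq(P, Q):
    # P . Q: glue a copy of Q's initial state onto every final state of P.
    P, Q = _tag(P, 0), _tag(Q, 1)
    trans = set(P["trans"]) | {tr for tr in Q["trans"] if tr[0] != Q["init"]}
    for f in P["finals"]:
        trans |= {(f, a, y) for (x, a, y) in Q["trans"] if x == Q["init"]}
    finals = (Q["finals"] - {Q["init"]}) | (P["finals"] if Q["init"] in Q["finals"] else set())
    return _prune(make(P["states"] | (Q["states"] - {Q["init"]}), trans, P["init"], finals))

def par(P, Q, A):
    # P A|| Q: CSP-style synchronisation on the frame A, interleaving of everything else.
    # A must not contain probabilistic or internal actions (the paper's side condition).
    trans = set()
    for (p, act, p2) in P["trans"]:
        if act in A:
            trans |= {((p, q), act, (p2, q2)) for (q, c, q2) in Q["trans"] if c == act}
        else:
            trans |= {((p, q), act, (p2, q)) for q in Q["states"]}
    for (q, act, q2) in Q["trans"]:
        if act not in A:
            trans |= {((p, q), act, (p, q2)) for p in P["states"]}
    states = {(p, q) for p in P["states"] for q in Q["states"]}
    finals = {(p, q) for p in P["finals"] for q in Q["finals"]}
    return _prune(make(states, trans, (P["init"], Q["init"]), finals))

def maximal_runs(P):
    # Every maximal path of a finite acyclic automaton as (labels, ended in a final state).
    # A run that stops in a non-final state is a deadlock, the algebra's 0.
    out = set()
    def walk(x, labels):
        succ = [(a, y) for (s, a, y) in P["trans"] if s == x]
        if not succ:
            out.add((tuple(labels), x in P["finals"]))
        for a, y in succ:
            walk(y, labels + [a])
    walk(P["init"], [])
    return frozenset(out)

# Section 4's example over Sigma = {a, b, c}: the same three automata, bracketed with
# different frames, deadlock in one case and terminate in the other.
a, b = action("a"), action("b")
left = par(par(a, b, {"a"}), a, {"c"})    # (a {a}|| b) {c}|| a  =  ab0 + ba0
right = par(a, par(b, a, {"c"}), {"a"})   # a {a}|| (b {c}|| a)  =  ab + ba
```

`maximal_runs(left)` yields the runs `ab` and `ba` both ending in deadlock, because the inner $a\ {}_{\{a\}}\|\ b$ can never perform its synchronised `a` and so has no reachable final state; `maximal_runs(right)` yields the same two runs ending in final states. With one frame on both sides the two bracketings agree, which is the associativity condition Proposition 9 relies on.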

Proposition 9. $(\mathrm{Aut}, +, \cdot, {}_A\|, 1)$ satisfies equations (9)–(13) modulo rooted η-simulation equivalence for any set of synchronisable actions $A \subseteq \Sigma$ (i.e. no probabilistic actions).

Associativity is mainly a consequence of the fact that there is only one frame for $\|$. The other axioms need to be checked thoroughly (see Proposition [?] in the appendix).

Our soundness result directly follows from these two propositions.

Theorem 10. $(\mathrm{Aut}, +, \cdot, {}_A\|, *, 0, 1)$ is a weak concurrent Kleene algebra for any set of synchronisable actions $A \subseteq \Sigma$.

In this theorem, the frame $A$ is fixed beforehand. In other words, a model of weak concurrent Kleene algebra is constructed for each possible choice of $A$. In particular, if $A$ is empty then the concurrency operator interleaves all actions, i.e. no actions are synchronised. This particular model satisfies the identity $1\ {}_{\emptyset}\|\ x = x$ of the original concurrent Kleene algebra found in [5].

The sequential and concurrent compositions actually have stronger properties in the concrete model. If we consider finite automata only (automata with finitely many states and transitions), then we show that these two operators are conditionally Scott continuous in the sense of [?] (see Propositions [?] and [?] in the appendix).

5 Relationship to Probabilistic Processes

Firstly, it is shown in [11] that a probabilistic choice $a\ {}_p\oplus\ b$ simulates the nondeterministic choice $a + b$. A similar result also holds in our setting. In the absence of internal transitions, simulation has also been defined elsewhere [?], which we will refer to as strong simulation. Recall that $(\mathit{flip}_p)a + (\mathit{flip}_p)b \le (\mathit{flip}_p)(a + b)$ is a general property of probabilistic Kleene algebra, so it is valid under strong simulation equivalence [?]. Due to the absence of internal actions, the middle part of the diagram of Figure 1 does not exist with respect to strong simulation equivalence.

In the context of Definition 5, the right-hand simulation of Figure 1 is the refinement of probabilistic choice by nondeterminism. This example gives an explicit distinction between $(\mathit{flip}_p)(a + b)$ and $(\mathit{flip}_p)a + (\mathit{flip}_p)b$ by considering the fact that the choice in $(\mathit{flip}_p)(a + b)$ can depend on the probabilistic outcome of $(\mathit{flip}_p)$, but this is not the case for $(\mathit{flip}_p)a + (\mathit{flip}_p)b$.

[Figure 1 omitted.]

Figure 1: Refinements between probabilistic choice and nondeterminism.



Secondly, we discuss the relationship between our concrete model and probabilistic automata. Recall that our interpretation of probability lies in the use of actions that implicitly contain probabilistic information. In its most general form, a probabilistic choice between $n$ possibilities can be written as

$\mathit{flip}_{p_1,\dots,p_n} \cdot (\tau_1 \cdot a_1 + \dots + \tau_n \cdot a_n)$

where $\sum_i p_i = 1$. In this algebraic expression, we implicitly ensure that each guard $\tau_i$ is enabled with a corresponding probability $p_i$. Therefore, if these $\tau_i$'s are not found directly after the execution of the probabilistic action, then matching them with the corresponding $p_i$ becomes a difficult task. We call a p-automaton (footnote 5) a transition system as per the definition of Subsection 3.1 such that if a probabilistic action has associated $\tau$ transitions then all of them follow that action directly.

Another complication also arises from the use of these $\tau_i$'s. Consider the following two processes

$\mathit{flip}_{p_1,p_2} \cdot (\tau_1 \cdot a + \tau_2 \cdot b)$

and

$\mathit{flip}_{p_1,p_2} \cdot (\tau_1 \cdot b + \tau_2 \cdot a)$

where $p_1 + p_2 = 1$. We can construct a (bi)simulation relation between the corresponding automata though the probabilities of doing an $a$ are different. Hence we need to modify the definition of η-simulation (Definition 5) to account for this particular structure.

Definition 11. A p-simulation $S$ between two p-automata $P, Q$ is an η-simulation such that if

- $x \xrightarrow{\mathit{flip}_{p_1,\dots,p_n}} x' \xrightarrow{\tau_i} x'_i$ is a transition in $P$,

- $y \xrightarrow{\mathit{flip}_{p_1,\dots,p_n}} y' \xrightarrow{\tau_i} y'_i$ is a transition in $Q$,

- and $(x, y) \in S$

then $(x'_i, y'_i) \in S$, for each $i = 1, \dots, n$.

This definition ensures that the probability of doing a certain action from $y$ is greater than doing that action from $x$. With similar proofs as in the previous sections, we can show that the set of p-automata modulo p-simulation again forms a weak concurrent Kleene algebra. We denote by p-Aut the set of p-automata modulo p-simulation.

We will now show that this definition is a very special case of probabilistic simulation on probabilistic automata. To simplify the comparison, we assume that $\tau$ transitions occur only as part of these probabilistic choices in p-automata.

5 The name p-automata describes probabilistic automata and, as we will see later on, there is a relationship between the two of them.



Definition 12. A probabilistic automaton is defined as a tuple $(P, \to, \Delta, F)$ where $P$ is a set of states, $\to$ is a set of labelled transitions from states to distributions (footnote 6) of states, i.e. $\to \subseteq P \times \Sigma \times \mathcal{D}P$, $\Delta$ is the initial distribution and $F \subseteq P$ is a set of final states.

The notion of simulation also exists for probabilistic automata [?] and, in particular, simulation and failure simulation are discussed in [?], where they are proven to be equivalent to may and must testing respectively.

To give a proper definition of probabilistic simulation, we need the following notations, which are borrowed from [3] and [17]. Given a relation $R \subseteq P \times \mathcal{D}Q$, the lifting of $R$ is a relation $\bar{R} \subseteq \mathcal{D}P \times \mathcal{D}Q$ such that $\phi \bar{R} \psi$ iff:

- $\phi = \sum_x p_x \delta_x$ (footnote 7),

- for each $x \in \mathrm{supp}(\phi)$ (the support of $\phi$) there exists $\psi_x \in \mathcal{D}Q$ such that $x R \psi_x$,

- $\psi = \sum_x p_x \psi_x$.

Similarly, the lifting of a transition relation $\xrightarrow{a}$ is denoted $\bar{\xrightarrow{a}}$, whose reflexive transitive closure is denoted $\Rightarrow$. For each external action $a$, we write $\xRightarrow{a}$ for the sequence $\Rightarrow\ \bar{\xrightarrow{a}}\ \Rightarrow$.

Definition 13. A probabilistic simulation $S$ between two probabilistic automata $P$ and $Q$ is a relation $S \subseteq P \times \mathcal{D}Q$ such that:

- $(\Delta_P, \Delta_Q) \in \bar{S}$,

- if $(x, \psi) \in S$ and $x \xrightarrow{a} \phi$ then there exists $\psi' \in \mathcal{D}Q$ such that $\psi \xRightarrow{a} \psi'$ and $(\phi, \psi') \in \bar{S}$ (for every action $a$),

- if $x \in F_P$ and $(x, \psi) \in S$ then $\mathrm{supp}(\psi) \subseteq F_Q$.

We denote by ProbAut the set of probabilistic automata modulo simulation equivalence.

We can now construct a mapping $e : \text{p-Aut} \to \mathrm{ProbAut}$ such that each instance of a structure similar to $\mathit{flip}_{p_1,\dots,p_n} \cdot (\tau_1 \cdot a_1 + \dots + \tau_n \cdot a_n)$ is collapsed into probabilistic transitions. More precisely, let $P \in$ p-Aut and $\to$ be its transition relation. The automaton $e(P)$ has the same state space as $P$ (up to accessibility with respect to the transitions of $e(P)$). The initial distribution of $e(P)$ is $\delta_{i_P}$ and the set of final states of $e(P)$ is $F_P$ again (footnote 8).

6 We assume that all distributions are finitely supported.

7 We denote by $\delta_x$ the point distribution concentrated on $x$.

8 Notice that by assuming the structure $\mathit{flip}_{p_1,\dots,p_n} \cdot (\tau_1 \cdot a_1 + \dots + \tau_n \cdot a_n)$, the state between the flip action and the corresponding $\tau$ transitions is never a final state. Hence we are safe to use $F_P$ as the final states of $e(P)$.


The set of transitions $\to_{e(P)}$ is constructed as follows. Let $x \xrightarrow{a} x'$ be a transition of $P$; there are two possible cases:

a) if $a$ is probabilistic, i.e. of the form $\mathit{flip}_{p_1,\dots,p_n}$, and is followed by the $\tau_i$'s, then the transition

$x \xrightarrow{a} p_1\delta_{x'_1} + \dots + p_n\delta_{x'_n}$

is in $\to_{e(P)}$, where $x' \xrightarrow{\tau_i} x'_i$ is a transition in $P$;

b) else the transition $x \xrightarrow{a} \delta_{x'}$ is in $\to_{e(P)}$.

We now prove that $e$ is a monotonic function from p-Aut to ProbAut.

Proposition 14. If $P \le Q$ then $e(P) \le e(Q)$.

Proof. Assume that $S$ is a p-simulation from $P$ to $Q$. Consider the exact same relation but restricted to the state spaces of $e(P)$ and $e(Q)$. We show that this restriction is a probabilistic simulation.

- Obviously, $(\delta_{i_P}, \delta_{i_Q}) \in \bar{S}$.

- Let $x \xrightarrow{a} \phi$ and $(x, \psi) \in S$. Since $\tau$ transitions only occur as part of probabilistic choices, we have two possibilities:

— $x \xrightarrow{a} p_1\delta_{x'_1} + \dots + p_n\delta_{x'_n}$ is a transition of $e(P)$ and $(x, \psi) \in S$ where $\psi = \delta_y$, since $(x, y)$ belongs to the original $S$. In this case, $y \xrightarrow{a} p_1\delta_{y'_1} + \dots + p_n\delta_{y'_n}$ is a transition of $e(Q)$ and each $(x'_i, y'_i)$ belongs to the original $S$ (definition of p-simulation).

— $x \xrightarrow{a} x'$ and $a$ is an external action. Therefore there are two possibilities again, $y \Rightarrow y_1 \xrightarrow{a} y'$ or $y \xrightarrow{a} y'$. In both cases, we have $(x', y') \in S$.

- Conservation of final states follows easily from the fact that $S$ is a p-simulation. □

Since our Definition 13 implies the definition of probabilistic simulation in [3], we conclude that the maximal probability of doing a particular action in p-automata is increased by p-simulation. This remark provides a formal justification of our earlier example. That is, Equation (14) ensures that the maximal probability that a buyer will be satisfied when using the probabilistic vending machine is at least 1/2, because the maximal probability of a trace containing tea in the automata described by

$coin \cdot flip \cdot (\tau_h \cdot (tea + 1) + \tau_t$

is 1/2.

In the proof of Proposition 14 the simulation constructed is a very particular case of probabilistic simulation, so it is too weak to establish certain relationships between p-automata. For instance, the automaton represented by $a \oplus_p (a \oplus_q b)$ should be equivalent to $a \oplus_{p+q-pq} b$, but Definition 11 will not provide such an equality. This line of research is part of our future work, where we will study proper probabilistic automata and simulations against weak concurrent Kleene algebra.



6 Algebraic Testing 

In this section, we describe an algebraic treatment of testing. Testing is a natural ordering for processes that was first studied in [14]. The idea is to "measure" the behaviour of the process with respect to the environment. In other words, given two processes $x$ and $y$ and a set of test processes $T$, the goal is to compare the processes $x\|t$ and $y\|t$ for every $t \in T$ (footnote 9). In our case, the set $T$ will contain all processes.

We consider a function $o$ from the set of terms to the set of internal expressions $I = \{x \mid x \le 1\}$. The function $o : T_\Sigma \to I$ is defined by

$o(x) = x$ if $x \in I$,   $o(st) = o(s)o(t)$,

$o(a) = \tau$ for any $a \in \Sigma - I$,   $o(s^*) = 1$,

$o(s + t) = o(s) + o(t)$,   $o(s\|t) \le o(s)o(t)$.

In the model, the function $o$ is interpreted by substituting each external action with the internal action $\tau$ ($o(a) = \tau$ for any $a \in \Sigma - I$). Then any final state is labelled by 1 and deadlock states are labelled by 0. Inductively, we label a state that leads to some final state by 1, else it is labelled by 0. This is motivated by the fact that $x0 = 0$ for any $x \in I$, so each transition leading only to deadlock states will be removed. Therefore, only the states labelled by 1, and the transitions between them, will remain. Hence, $o(s) \ne 0$ iff the resulting automaton contains at least one state labelled by 1. In other words, $o(s) = 0$ iff $s$ must not terminate successfully.

Without loss of generality (by considering automata modulo simulation), we assume that $\tau$ is the only internal action in $\Sigma$ and it satisfies $\tau\tau = \tau$. This equation is valid in the concrete model.

The existence of a well-defined function $o$ satisfying these conditions depends on our definition of simulation. That is, we can show that if $P \le Q$ then $o(P) \le o(Q)$, where we have abused notation by writing $o(P)$ for the application of $o$ to the term associated to $P$. A detailed discussion about this can be found in the appendix under Remark 28.

Definition 15. The may testing order is given by $x \sqsubseteq_{may} y$ iff $\forall t \in T_\Sigma : [o(y\|t) = 0 \Rightarrow o(x\|t) = 0]$. □

We now provide some results about algebraic may testing. It follows from monotonicity of $\|$ with respect to $\le$ (Proposition 3) that the may ordering $\sqsubseteq_{may}$ is weaker than the rooted $\eta$-simulation order.

Proposition 16. $x \le y$ implies $x \sqsubseteq_{may} y$.

In fact, $\sqsubseteq_{may}$ is too weak compared to $\le$: may testing is equivalent to language equivalence. Given a term $s$, the language $Tr(s)$ of $s$ is the set of finite words formed by external actions that are accepted by the automaton represented by $s$. In other words, it is the set of finite traces in the sense of CSP which lead to final states. The precise definition of this language equivalence can be found in the appendix, and so is the proof of the following proposition (Proposition 29 of the appendix).

Proposition 17. In Aut, $\sqsubseteq_{may}$ reduces to language equivalence.

9 Notice that $\|$ should be framed because some external actions are not synchronised. But in the setting of testing, we can also assume that all external actions are synchronised, which permits following up all external actions present in the process.



We have shown that $\sqsubseteq_{may}$ is equivalent to language equivalence and hence it is weaker than our simulation order. This is also a consequence of the fact that our study of may testing is done in a qualitative way, because the probabilities are found implicitly within actions. A quantitative study of probabilistic testing orders can be found in [?].

7 Case Study: Rabin's Choice Coordination 

The problem of choice coordination is well known in the area of distributed systems. It usually appears in the form of processes voting for a common goal among some possibilities. Rabin has proposed a probabilistic protocol which solves the problem [15], and a sequential specification can be found in [11].

We specify the protocol in our algebra and prove that a fully concurrent specification is equivalent to a sequential one. Once this has been done, the full verification can proceed by reusing the techniques for sequential reasoning.

The protocol consists of a set of tourists and two places: a church $C$ and a museum $M$. Each tourist has a notepad where he keeps track of an integer $k$. Each place has a board where tourists can read and write. We denote by $L$ (resp. $R$) the value on the church board (resp. museum board).

In this section, we use $\cdot$ again for the sequential composition to make the specifications clearer.

• The church is specified as $C = (c!L)^* \cdot (c?L)$, where the channel $c$ represents the church's door. $c!L$ means that the value of $L$ is available to be read on the channel $c$, and $c?L$ waits for an input which is used as the value for $L$ in the subsequent process.

  In other words, each tourist can read as many times as they want from the church board but write on it only once. Repeated writing will be considered in the specification of the protocol.

  Similarly, the museum is specified as $M = (m!R)^* \cdot (m?R)$.

• Each tourist is specified as $P(\alpha, k)$ where $\alpha \in \{c, m\}$ is the door before which the tourist currently stands and $k$ is the actual value written on his notepad. A detailed description of $P$ can be found in the appendix but roughly, we have

  $P(\alpha, k) = (\alpha?K) \cdot rabin \cdot [\alpha := \bar{\alpha}]$ (footnote 10)

  where $\bar{c} = m$ and $\bar{m} = c$. In other words, the tourist reads the value on the place specified by $\alpha$, executes Rabin's protocol $rabin$ and then goes to the other place. Notice that the process $rabin$ contains the probabilistic component of Rabin's protocol. Essentially, it describes the rules that are used by each tourist to update their actual value for $k$ with respect to the value on the board and vice versa.

  The whole specification of the protocol executed by each tourist is described by the automaton of Figure 2.



We are ready to specify the whole system. Assume we have two tourists $P$ and $Q$ (our result generalises easily to $n$ tourists). The tourists' joint action is specified as $(P + Q)^*$. This ensures that when a tourist has started his turn by reading the board, he will not be interrupted by any other tourist until he is done and goes inside the current place or to the other place. This condition is crucial for the protocol to work properly.

10 Any action written within square brackets will denote an internal action (see appendix for the detailed specification).

The actions of the locations process are specified by $(M + C)^*$, which ensures that each tourist can be at one place at a time only; this is a physical constraint. Now, the whole system is specified by

$init \cdot ([P(\alpha, u) + Q(\beta, v)]^*\ {}_{\{c,m\}}\|\ (M + C)^*)$ (16)

where $init$ is the initialisation of the values on the boards, notepads and initial locations. Specification (16) describes the most arbitrary behaviour of the tourists compatible with visiting and interacting with the locations in the manner described above. Rabin's design of the protocol means that this behaviour is equivalent to a serialised execution where first one location is visited, followed by the other. We can write that behaviour as $[((P + Q)\|M)^*((P + Q)\|C)^*]^*$, where (for this section only) we denote the concurrency operator by $\|$ instead of ${}_{\{c,m\}}\|$ to make the notation lighter. The next theorem says that this more uniform execution is included in $S = [P(\alpha, u) + Q(\beta, v)]^* \| (M + C)^*$, described by Specification (16).

Theorem 18. We have

$S \ge [((P + Q)\|M)^*((P + Q)\|C)^*]^*$

The proof is a simple application of Proposition 3. Theorem 18 means that $S$ could execute all possible actions related to door $M$, then those at door $C$, then back to door $M$ and so on. In fact, we can also prove the converse, i.e. Theorem 18 could be strengthened to an equality. But for that, we need the continuity of the operators $\cdot$ and $\|$.

Theorem 19. In the concrete model, the specification of Rabin's protocol satisfies

$S = [((P + Q)\|M)^*((P + Q)\|C)^*]^*$

The proof of this theorem depends heavily on the fact that the concurrent and sequential compositions are continuous in the concrete model. The complete proof can be found in the appendix.

In the proof, if we stopped at the distribution over $\|$, we would obtain the equivalent specification

$S = [(P + Q)\|M + (P + Q)\|C]^*$

which describes a simpler situation where $P$ or $Q$ interacts at the museum or at the church. This is similar to the sequential version found in [11], which can be treated by standard probabilistic invariants to complete a full probabilistic analysis of the protocol.

Figure 2: p-automaton that describes the protocol $P(\alpha, k)$ executed by each tourist.

8 Conclusion

An algebraic account of probabilistic and concurrent systems has been presented in this paper. The idea was to combine probabilistic and concurrent Kleene algebra. A soundness result with respect to automata and rooted $\eta$-simulation has been provided. The concrete model ensures not only the consistency of the axioms but also provides a semantic space for systems exhibiting probabilistic, nondeterministic and concurrent behaviour. We also showed that the model has stronger properties than just the algebraic axiomatisation. For instance, sequential and concurrent compositions are both continuous in the case of finite automata.

We provided some applications of the framework. An algebraic account of may testing has been discussed in Section 6. It was shown that the may ordering reduces to language equivalence.

We also provided a case study of Rabin's solution to the choice coordination problem. A concurrent specification was provided and it was shown to be structurally equivalent to the sequential one given in [11].

Though the algebra was proven to be powerful enough to derive non-trivial properties for concrete protocols, the concrete model still needs to be refined. For instance, the inclusion of tests is important, especially for the construction of probabilistic choices. Tests need to be introduced carefully because their algebraic characterisation is subtle due to the presence of probability. We also need to improve and refine the manipulation of quantitative properties in the model as part of our future work.

Finally, it is customary to motivate automated support for algebraic approaches. The axiom system for weak concurrent Kleene algebra is entirely first-order, therefore proof automation is supported, and automated versions of our algebraic proofs can be found in our repository.
Appendix

The following proofs, diagrams, remarks and other results are only included to add further clarification of the contents of the present paper. It is left to the discretion of the reviewers to choose whether they will read these proofs or not.

A Diagrams, Theorems and Proofs

Diagram of the Operators: The constructions are done inductively from 0, 1 and elements of the alphabet $\Sigma$.

- Deadlock: 0.

  This is the automaton that has only one state, no transition and no final state.

- Skip: 1.

  This is the automaton $\circ$ which has only one state, which is both initial and final, and has no transition.

- Single action: $a$.

  The automaton associated to $a \in \Sigma$ is $i \xrightarrow{a} \circ$, where $i$ is the initial state and $\circ$ is a final state.

- Addition: $P + Q$.

  This is constructed by identifying the initial states of $P$ and $Q$. This construction is allowed because of the initiality condition (Figure 3).

- Multiplication: $PQ$.

  This is constructed by identifying each final state of $P$ with the initial state of $Q$ (Figure 4).

- Concurrency: $P\ {}_A\|\ Q$.

  This is constructed as a sub-automaton of the Cartesian product of $P$ and $Q$, following CSP [4]. Assuming $a \in A$ and $b, d \notin A$, the concurrent composition $P\ {}_A\|\ Q$ is inductively constructed as in Figure 5.

  Notice that $A \subseteq \Sigma$ is a set of synchronised actions and does not contain any (strictly) probabilistic actions such as $flip(p)$, for $p \in\ ]0, 1[$.

- Kleene star: $P^*$.

  This is the result of repeating $P$, allowing a successful termination after each (possibly empty) full execution of $P$. In the diagram of Figure 6 we just picture one transition from the initial state and one final state. The construction needs to be performed for each initial transition and final state. Notice that the initial state of $P^*$ is a final state too.
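The constructions listed above, and the rooted $\eta$-simulation order they are compared under in the proofs that follow, can be made concrete on finite automata. The Python below is an added example written for this page, not code from the paper or its repository: it implements $+$, $\cdot$, $^*$ and ${}_A\|$ as described in the diagrams (reachability and the initiality condition HCI are enforced in the constructor) and decides $P \le Q$ as the largest relation satisfying the conditions spelled out in the proof of Proposition 21 (initial states paired, rootedness, final states preserved, internal steps matched by $\Rightarrow$, external steps by $\Rightarrow \xrightarrow{a}$). The state-tagging scheme, the names `Aut`, `leq`, `equiv` and the sample terms are assumptions of the example.

```python
# Added example, not the paper's code: the operator constructions of Appendix A
# on finite automata, and a decision procedure for the rooted eta-simulation
# order (largest relation satisfying the conditions in the proof of Prop. 21).
TAU = "tau"   # the internal action
INIT = "i"

class Aut:
    """Automaton with an initial state, transitions (src, action, dst) and finals.
    Keeps only states reachable from the initial state (reachability) and
    checks that no transition enters the initial state (initiality, HCI)."""
    def __init__(self, init, trans, finals):
        self.init, self.states, todo = init, {init}, [init]
        while todo:
            s = todo.pop()
            for (src, _, dst) in trans:
                if src == s and dst not in self.states:
                    self.states.add(dst)
                    todo.append(dst)
        self.trans = {t for t in trans if t[0] in self.states}
        self.finals = set(finals) & self.states
        assert all(dst != init for (_, _, dst) in self.trans), "HCI violated"

def rename(p, tag):
    """Disjoint copy of p: every state is tagged, so state spaces can be united."""
    return Aut((tag, p.init), {((tag, s), a, (tag, t)) for (s, a, t) in p.trans},
               {(tag, s) for s in p.finals})

ZERO = Aut(INIT, set(), set())      # deadlock: one state, no transition, no final
ONE = Aut(INIT, set(), {INIT})      # skip: one state, both initial and final

def act(a):                         # single action: i --a--> o
    return Aut(INIT, {(INIT, a, "o")}, {"o"})

def plus(p, q):                     # P + Q: identify the initial states (Figure 3)
    p, q = rename(p, "L"), rename(q, "R")
    m = lambda s: INIT if s in (p.init, q.init) else s
    return Aut(INIT, {(m(s), a, m(t)) for (s, a, t) in p.trans | q.trans},
               {m(s) for s in p.finals | q.finals})

def seq(p, q):                      # PQ: glue i_Q onto every final state of P (Figure 4)
    p, q = rename(p, "L"), rename(q, "R")
    first = {(a, t) for (s, a, t) in q.trans if s == q.init}
    trans = p.trans | {(s, a, t) for (s, a, t) in q.trans if s != q.init}
    trans |= {(f, a, t) for f in p.finals for (a, t) in first}
    finals = (q.finals - {q.init}) | (p.finals if q.init in q.finals else set())
    return Aut(p.init, trans, finals)

def star(p):                        # P*: finals repeat the initial transitions, i is final (Figure 6)
    p = rename(p, "S")
    first = {(a, t) for (s, a, t) in p.trans if s == p.init}
    return Aut(p.init, p.trans | {(f, a, t) for f in p.finals for (a, t) in first},
               p.finals | {p.init})

def par(p, q, A):                   # P_A||Q: actions in A synchronise, others interleave (Figure 5)
    trans = set()
    for x in p.states:
        for y in q.states:
            trans |= {((x, y), a, (x2, y)) for (s, a, x2) in p.trans if s == x and a not in A}
            trans |= {((x, y), a, (x, y2)) for (s, a, y2) in q.trans if s == y and a not in A}
            trans |= {((x, y), a, (x2, y2)) for (s, a, x2) in p.trans
                      for (s2, b, y2) in q.trans if s == x and s2 == y and a == b and a in A}
    return Aut((p.init, q.init), trans, {(x, y) for x in p.finals for y in q.finals})

def closure(q, y):
    """y => y': states reachable from y by finitely many internal (TAU) steps."""
    seen, todo = {y}, [y]
    while todo:
        s = todo.pop()
        for (src, a, dst) in q.trans:
            if src == s and a == TAU and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def leq(p, q):
    """P <= Q: does a rooted eta-simulation from P to Q exist?  Start from all
    pairs respecting rootedness ((i_P, y) forces y = i_Q) and final states, then
    drop pairs (x, y) with an unmatched step: an internal x --tau--> x' needs
    y => y' with (x', y') kept; an external x --a--> x' needs y => y1 --a--> y'
    with (x, y1) and (x', y') kept."""
    S = {(x, y) for x in p.states for y in q.states
         if (x != p.init or y == q.init) and (x not in p.finals or y in q.finals)}
    changed = True
    while changed:
        changed = False
        for (x, y) in list(S):
            for (src, a, x2) in p.trans:
                if src != x:
                    continue
                ys = closure(q, y)
                if a == TAU:
                    ok = any((x2, y2) in S for y2 in ys)
                else:
                    ok = any((x, y1) in S and (x2, y2) in S for y1 in ys
                             for (s, b, y2) in q.trans if s == y1 and b == a)
                if not ok:
                    S.discard((x, y))
                    changed = True
                    break
    return (p.init, q.init) in S

def equiv(p, q):                    # simulation equivalence
    return leq(p, q) and leq(q, p)
```

With `a, b, c = act("a"), act("b"), act("c")`, `leq(plus(seq(a, b), seq(a, c)), seq(a, plus(b, c)))` holds while the converse does not (subdistributivity is one-sided), `equiv(seq(plus(b, c), a), plus(seq(b, a), seq(c, a)))` holds (right distributivity), `equiv(par(a, b, {"a", "b"}), ZERO)` holds (two different synchronised actions deadlock), and `equiv(seq(a, ZERO), ZERO)` fails, matching the remark in the appendix that $x0 = 0$ is not available in this model.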

Proposition 20. These operations are well defined on Aut, that is, if $P, Q \in$ Aut then $P + Q$, $PQ$, $P\ {}_A\|\ Q$ and $P^*$ are elements of Aut.

Proof. The proof is by induction on the structure of the automata $P$ and $Q$. For the base case, it is obvious that 0, 1 and $i \xrightarrow{a} \circ$ satisfy the reachability and initiality conditions.

Let $P, Q \in$ Aut. It is easy to see from the diagrams that $P + Q$, $P\|Q$ and $P^*$ belong to Aut too. $PQ$ satisfies the initiality condition because the initial state is $i_P$. For reachability, let $x \in Q$. Then $x$ is reachable from $i_Q$, which in turn is reachable from $i_P$ by the definition of sequential composition. □

Proposition 21. The following statements hold.

1. The relational composition of two rooted $\eta$-simulations is again a rooted $\eta$-simulation. That is, if $S, T$ are rooted $\eta$-simulations then $S \circ T$ is also a rooted $\eta$-simulation, where $\circ$ denotes relational composition.

2. The simulation relation $\le$ is a preorder on Aut.

Proof. 1. Let $S : P \to Q$ and $T : Q \to R$ be simulations and let us show that $ST : P \to R$ is a simulation.

- Evidently, $(i, i) \in ST$.

- Let $(x, z) \in ST$ and $x \xrightarrow{a} x'$. By definition of the relational composition there exists $y \in Q$ such that $(x, y) \in S$ and $(y, z) \in T$.

  a) If $a$ is internal, there exists $y' \in Q$ such that $y \Rightarrow y'$ and $(x', y') \in S$. Since $y \Rightarrow y'$ consists of a finite sequence of internal transitions, there exists $z' \in R$ such that $(y', z') \in T$ and $z \Rightarrow z'$. Hence $(x', z') \in ST$ and $z \Rightarrow z'$.

  b) If $a$ is external, there exist $y_1, y' \in Q$ such that $y \Rightarrow y_1 \xrightarrow{a} y'$ and $(x, y_1) \in S$ and $(x', y') \in S$. Since $(y, z) \in T$ and $y \Rightarrow y_1$, there exists $z_1 \in R$ such that $(y_1, z_1) \in T$ and $z \Rightarrow z_1$. Again, since $T$ is a simulation and $y_1 \xrightarrow{a} y'$, there exist $z_2, z' \in R$ such that $z_1 \Rightarrow z_2 \xrightarrow{a} z'$ and $(y_1, z_2) \in T$ and $(y', z') \in T$. Hence, by transitivity of $\Rightarrow$, we have $z \Rightarrow z_2 \xrightarrow{a} z'$ and $(x, z_2) \in ST$ and $(x', z') \in ST$.

- Let $(x, z) \in ST$ and $x \in F_P$; there exists $y \in Q$ such that $(x, y) \in S$ and $(y, z) \in T$. So $y \in F_Q$ and hence $z \in F_R$.

- Let $(i, z) \in ST$; there exists $y \in Q$ such that $(i, y) \in S$ and $(y, z) \in T$. So $y = i$ and hence $z = i$.

2. For reflexivity, the identity relation is a rooted $\eta$-simulation, and transitivity follows from 1.

□

Proposition 22. The equivalence relation $=$ is a congruence with respect to $+$, and $P \le Q$ iff $P + Q = Q$.

Proof. Let $S : P \to Q$ and $S' : P' \to Q'$ be rooted $\eta$-simulations. We show that $S \cup S' : P + P' \to Q + Q'$ is again a rooted $\eta$-simulation.

- Since initial states are identified in the construction of $+$, we have $(i_{P+P'}, i_{Q+Q'}) = (i_P, i_Q) \in S \cup S'$.

- Let $(x, y) \in S \cup S'$ and $x \xrightarrow{a} x'$ be a transition of $P$ (the case where this transition belongs to $P'$ is dealt with in the exact same way). We have two cases:

  1. if $(x, y) \in S$, then either $a$ is internal and hence $(x', y) \in S$ (so in $S \cup S'$ too), or there exist $y_1, y' \in Q$ such that $y \Rightarrow y_1 \xrightarrow{a} y'$ is a path in $Q$ and $(x, y_1) \in S$ and $(x', y') \in S$. By definition of $+$, $y \Rightarrow y_1 \xrightarrow{a} y'$ is again a path in $Q + Q'$ such that $(x, y_1) \in S \cup S'$ and $(x', y') \in S \cup S'$.


Figure 3: Automaton for $P + Q$.

Figure 4: Automaton for $PQ$. The symbol $\circ$ denotes a final state and the symbol $\bullet$ is final if and only if $i_Q$ is final in $Q$. Notice that this construction is done for each final state of $P$.

Figure 5: Automaton for $P\ {}_A\|\ Q$. The action $a$ has been synchronised and $b$, $d$ were interleaved. Notice that $b$ or $d$ could be internal. The initial state of the automaton is the pair $(i_P, i_Q)$ and the final states are the elements of $F_P \times F_Q$.

Figure 6: Automaton for $P^*$.
  2. if $(x, y) \in S'$, then $x = i_P$ because $x \xrightarrow{a} x'$ is assumed to be a transition in $P$. Since the initial states are merged, $(i_{P'}, y) \in S'$ and therefore $y = i_{Q'} = i_{Q+Q'} = i_Q$. Therefore $(x, y) \in S$ and we are back to Case 1.

- Let $(x, y) \in S \cup S'$ and $x \in F_P$ (the case $x \in F_{P'}$ is similar). We have two cases again: $(x, y) \in S$ and $y \in F_Q$, or $(x, y) \in S'$ and then $x \in P \cap P'$. Hence $x = i$ and we are back to the first case again.

- $S \cup S'$ is rooted because $S$ and $S'$ are both rooted.

Now assume $P \le Q$. Then $P + Q \le Q + Q = Q$ follows from the fact that $\le$ is a congruence and the idempotence of $+$ in Proposition 23. Moreover, since $id_Q : Q \to Q$ is a simulation, we have $P + Q = Q$. Conversely, assume $P + Q = Q$; since $id_P : P \to P + Q$ is a simulation we have $P \le Q$ by transitivity of $\le$. □

Proposition 23. (Aut, $+$, $\cdot$, $^*$, 0, 1) is a weak probabilistic Kleene algebra.

Proof. Associativity and commutativity of $+$ and $0 + x = x$ follow easily from the fact that $+$ is based on $\cup$.

• Idempotence of $+$: since the union is made disjoint, we assume $P_c$ is a copy of $P$ where every state is indexed by $c$. Then $id_P : P \to P + P_c$ is a simulation and $\{(y, x) \mid y = x$ or $y = x_c\}$ is a simulation from $P + P_c$ to $P$.

• Associativity of $\cdot$: associativity follows from the same proof found in [?] because identity relations are simulations and our multiplication here is exactly the $\epsilon$-free version of the multiplication there.

• 1 is neutral for $\cdot$: it follows easily from the construction that $1P = P$ and $P1 = P$.

• Subdistributivity (3): to show that $PQ + PR \le P(Q + R)$, it suffices to show that $PR \le P(Q + R)$ and derive the result from idempotence of $+$. Recall that $id_P$ and $id_Q$ are simulations, so it suffices to show that $id_P \cup id_Q : PQ \to P(Q + R)$ is again a simulation. Obviously, $(i, i) \in S$, and it is rooted and conserves final states. Moreover $\to_{P(Q+R)} \supseteq \to_{PQ}$. Hence $id_P \cup id_Q$ is a simulation.

• Right distributivity (5): let $P_c$ be a disjoint copy of $P$; then the relation

$S = \{(x, y) \mid y = x$ or $y = x_c\}$

from $(Q + R)P$ to $QP_c + RP$ is rooted and preserves final states. Let $(x, y) \in S$ and $x \xrightarrow{a} x' \in \to_{(Q+R)P}$. Recall that

$\to_{(Q+R)P} = \to_Q \cup \to_R \cup \to_P - \{i \xrightarrow{a} z \in \to_P\} \cup \{z \xrightarrow{a} z' \mid z \in F_Q \cup F_R$ and $i \xrightarrow{a} z' \in \to_P\}$

If the transition belongs to the first three sets then we are done; else we can assume $x \in F_Q$ and $i \xrightarrow{a} x' \in \to_P$, i.e. $y = x$ and $x' \in P$. We have

so $x \xrightarrow{a} x'_c \in \to_{QP_c+RP}$ and $(x', x'_c) \in S$. Similarly, we can prove that if $(x, y) \in S$ and $y \xrightarrow{a} y'$ then there exists $x'$ such that $(x', y') \in S$ and $x \xrightarrow{a} x'$. Hence $S$ is a bisimulation.

• Left unfold (2): let $x^*$ be a state in $P^*$ and $x$ the corresponding state in the unfolded version $1 + PP^*$, i.e. $x$ is considered as a state of $P$. The rooted version of the relation $S = id_{P^*} \cup \{(x^*, x)\}$ is a rooted $\eta$-bisimulation from $P^*$ to $1 + PP^*$.

• Left induction (3): as in (10), the proof is again similar to [9] because rooted $\eta$-simulations are stable under union.

□

Proposition 24. (Aut, $+$, $\cdot$, ${}_A\|$, 1) satisfies equations (?)–(13) modulo rooted $\eta$-simulation equivalence for any set of synchronisable actions $A \subseteq \Sigma$ (i.e. no probabilistic actions).

Proof. $= 1$ follows directly from the definition of ${}_A\|$, and the simulation used for commutativity is $\{((x, y), (y, x)) \mid x \in P$ and $y \in Q\}$.

For associativity, we show that if $(x, (y, z)) \xrightarrow{a} (x', (y', z')) \in \to_{P\ {}_A\|\ (Q\ {}_A\|\ R)}$ then $((x, y), z) \xrightarrow{a} ((x', y'), z') \in \to_{(P\ {}_A\|\ Q)\ {}_A\|\ R}$.

- If $a \notin A$, then

  * $x \xrightarrow{a} x'$ and $(y, z) = (y', z')$. So $(x, y) \xrightarrow{a} (x', y) \in \to_{P\ {}_A\|\ Q}$ and hence $((x, y), z) \xrightarrow{a} ((x', y), z) \in \to_{(P\ {}_A\|\ Q)\ {}_A\|\ R}$ because $a \notin A$.

  * or $x = x'$ and $(y, z) \xrightarrow{a} (y', z')$. Since $a \notin A$:

    · $y \xrightarrow{a} y'$ and $z = z'$, hence $((x, y), z) \xrightarrow{a} ((x, y'), z) \in \to_{(P\ {}_A\|\ Q)\ {}_A\|\ R}$,

    · or $y = y'$ and $z \xrightarrow{a} z'$, and hence $((x, y), z) \xrightarrow{a} ((x, y), z') \in \to_{(P\ {}_A\|\ Q)\ {}_A\|\ R}$.

- If $a \in A$, then $x \xrightarrow{a} x'$ and $(y, z) \xrightarrow{a} (y', z')$. Since $a$ is again synchronised in $Q\ {}_A\|\ R$, $y \xrightarrow{a} y'$ and $z \xrightarrow{a} z'$. So $(x, y) \xrightarrow{a} (x', y') \in \to_{P\ {}_A\|\ Q}$ and hence $((x, y), z) \xrightarrow{a} ((x', y'), z') \in \to_{(P\ {}_A\|\ Q)\ {}_A\|\ R}$.

Since ${}_A\|$ is commutative, we deduce that $\to_{(P\ {}_A\|\ Q)\ {}_A\|\ R} = \to_{P\ {}_A\|\ (Q\ {}_A\|\ R)}$, so the identity relations could again be used for the simulation.

To prove monotonicity, we consider the relation $S : P\ {}_A\|\ Q + P_c\ {}_A\|\ R \to P\ {}_A\|\ (Q + R)$ as in the case of multiplication, i.e. $S = \{((x, y), (x, y)), ((x_c, y), (x, y)) \mid x \in P \wedge y \in Q \cup R\}$, where $x_c$ is the copy of the state $x \in P$ in $P_c$. Let $((x_c, y), (x, y)) \in S$ (the case $((x, y), (x, y)) \in S$ is easier and can be handled in the same way) and $(x_c, y) \xrightarrow{a} (x'_c, y') \in \to_{P\ {}_A\|\ Q + P_c\ {}_A\|\ R}$. By definition of $+$, that transition belongs to $\to_{P\ {}_A\|\ Q}$ or $\to_{P_c\ {}_A\|\ R}$. Since the first component is a copy of $x$, we have $(x_c, y) \xrightarrow{a} (x'_c, y') \in \to_{P_c\ {}_A\|\ R}$, that is, $y, y' \in R$.

- if $a \notin A$, then

  * $x_c \xrightarrow{a} x'_c$ and $y = y'$, so $x \xrightarrow{a} x' \in \to_P$ and hence $(x, y) \xrightarrow{a} (x', y) \in \to_{P\ {}_A\|\ (Q+R)}$ and $((x'_c, y), (x', y)) \in S$ by definition of $S$.

  * or $x_c = x'_c$ and $y \xrightarrow{a} y'$, so $(x, y) \xrightarrow{a} (x, y') \in \to_{P\ {}_A\|\ (Q+R)}$ and $((x_c, y'), (x, y')) \in S$.

- if $a \in A$, then $x_c \xrightarrow{a} x'_c$ and $y \xrightarrow{a} y' \in \to_R$. So $x \xrightarrow{a} x' \in \to_P$ and hence $(x, y) \xrightarrow{a} (x', y') \in \to_{P\ {}_A\|\ (Q+R)}$ and $((x'_c, y'), (x', y')) \in S$.

For the interchange law, firstly notice that the set of states of $(P\|Q)(P'\|Q')$ (where the frame $A$ of the concurrency operator is left implicit) is a subset of $(P \times Q) \cup (P' \times Q')$, which is in turn a subset of $(P \cup P') \times (Q \cup Q')$. Hence we consider the injection $id$ of the former set into the latter one and the relation $S$ defined in Figure 7. We show that $S$ is a simulation in our sense.

- Since $(i, i) = i$, the initial state is related to itself. In particular, $S$ is rooted because $x' \ne i$ in the second set in the definition of $S$ (resp. $y' \ne i$ for the third set), by HCI.

- Let $(x, y) \in (P\|Q)(P'\|Q')$ such that $(x, y) \xrightarrow{a} (x', y')$. We have the following cases.

  * The transition is in $\to_{P\|Q}$, in which case $(x, y), (x', y') \in P \times Q$.

    · if $a \notin A$ then $x \xrightarrow{a} x' \in \to_P$ and $y = y'$, or $x = x'$ and $y \xrightarrow{a} y' \in \to_Q$. By definition of the sequential composition again, these transitions belong to $\to_{PP'}$ or $\to_{QQ'}$ respectively. Hence $(x, y) \xrightarrow{a} (x', y') \in \to_{PP'\|QQ'}$.

    · if $a \in A$ then $x \xrightarrow{a} x' \in \to_P$ and $y \xrightarrow{a} y' \in \to_Q$. As in the previous case, the considered transition exists in $PP'\|QQ'$.

  * The transition is in $\to_{P'\|Q'} - \{(i, i)\}$. This case is similar to the previous one because $x \ne i$ and $y \ne i$ as states of $P'$ and $Q'$ respectively.

  * It is a linking transition, i.e. $(x, y) \in F_{P\|Q}$ and $(x', y') \in \to_{P'\|Q'}$. Then $x \in F_P$ and $y \in F_Q$ and we have two cases:

    · if $a \notin A$, then $i \xrightarrow{a} x' \in \to_{P'}$ and $y' = i$, or $x' = i$ and $i \xrightarrow{a} y' \in \to_{Q'}$. In the first case, the definition of $S$ implies that $((x', y'), (x', y)) \in S$ and, since $a \notin A$, we have $(x, y) \xrightarrow{a} (x', y) \in \to_{PP'\|QQ'}$. Similarly for the other case.

    · if $a \in A$, then $i \xrightarrow{a} x' \in \to_{P'}$ and $i \xrightarrow{a} y' \in \to_{Q'}$. Then $x \xrightarrow{a} x' \in \to_{PP'}$ and $y \xrightarrow{a} y' \in \to_{QQ'}$. Hence $(x, y) \xrightarrow{a} (x', y') \in \to_{PP'\|QQ'}$.

  * Let $((x', i), (x', y)) \in S$ as in the above definition of $S$ and $(x', i) \xrightarrow{a} (x'', y'') \in \to_{P'\|Q'}$.

    · If $a \notin A$, then $x' \xrightarrow{a} x'' \in \to_{P'}$ and $y'' = i$, or $x' = x''$ and $i \xrightarrow{a} y'' \in \to_{Q'}$. In the first case, $(x', y) \xrightarrow{a} (x'', y) \in \to_{PP'\|QQ'}$ because $a \notin A$, and $((x'', y''), (x'', y)) \in S$ because $y'' = i$. In the second case, $y \xrightarrow{a} y'' \in \to_{QQ'}$ and hence $(x', y) \xrightarrow{a} (x'', y'') \in \to_{PP'\|QQ'}$ because $x' = x''$.

    · If $a \in A$, then $x' \xrightarrow{a} x'' \in \to_{P'}$ and $i \xrightarrow{a} y'' \in \to_{Q'}$. By definition of sequential composition, $y \xrightarrow{a} y'' \in \to_{QQ'}$ and, since $a \in A$, $(x', y) \xrightarrow{a} (x'', y'') \in \to_{PP'\|QQ'}$.

  * The case $((i, y'), (x, y')) \in S$ is similar.

- Let $((x, y), (u, v)) \in S$ such that $(x, y) \in F_{(P\|Q)(P'\|Q')}$. That is, $x \in (F_{P'} - \{i\}) \cup F_P$ (with $F_P$ contributing only when $(i, i)$ is final in $P'\|Q'$), and similarly for $y$. Hence, if the tuple belongs to $id$ then we are done. Assume $i \xrightarrow{a} x \in \to_{P'}$ and $y = i$ (the other case is proved in exactly the same way); then $u = x$ and $v \in F_Q$. Since $(x, i)$ is a final state, we have $F_{QQ'} = (F_{Q'} - \{i\}) \cup F_Q$ and $x \in F_{P'} - \{i\}$. Hence $(u, v) \in F_{PP'} \times F_{QQ'}$.

Finally, since simulation preserves reachability, the reachable part of $(P\|Q)(P'\|Q')$ is simulated by the reachable part of $PP'\|QQ'$.

□

Proposition 25. The sequential composition is (conditionally) continuous from the left and the right in Aut$_f$. That is, if $(P_i)_i$ is a $\le$-directed set of finite automata with limit $P$ then $\sup_i P_i K = PK$ and $\sup_i K P_i = KP$.

We denote by Aut$_f$ the set of finite automata satisfying the reachability and initiality conditions. Aut$_f$ is a subalgebra of Aut. The proof is similar to our proof in [9]. The only difference is in the manipulation of 0 (because we do not have $x0 = 0$ in this setting), and hence Proposition 25 is a generalised version of the continuity in [9].

Proof. We first define a notion of residuation on Aut$_f$. For automata $P$ and $Q$ we define the automaton $P/Q$ with initial state $i_{P/Q} = i_P$ and final states $F_{P/Q} = \{x \in P \mid Q \le P_x\}$, where $P_x$ is constructed from $P$ by making its initial state into $x$. We make the resulting automaton reachable by discarding all states not reachable from $x$. Notice that $P_x$ does not necessarily satisfy HCI. In this case, we unfold each transition from $x$ once and isolate $x$, but keep a disjoint copy of it, to make sure that the resulting automaton is bisimulation equivalent to the non-rooted version.

We now show that $RQ \le P$ iff $R \le P/Q$. Assume $S$ is a simulation from $RQ$ to $P$. That means $S$ generates a simulation from $Q$ to $P_x$ for some $x$. It follows from the definition of $P/Q$ that $S$ generates a simulation from $R$ to $P/Q$, since such states $x$ become final states of $P/Q$ and they are the images of the final states of $R$ under the simulation generated by $S$.

For the converse direction, suppose that $S$ is a simulation from $R$ to $P/Q$. By Theorem [?], multiplication is isotone, hence $RQ \le (P/Q)Q$, and it remains to show that $(P/Q)Q \le P$.

First, if $F_{P/Q}$ is empty then $R$ has no final state either and $RQ = R$ by definition of sequential composition. Hence $RQ = R \le P/Q \le P$.

Assume $F_{P/Q}$ is not empty and let $S'$ be a simulation from $RQ$ to $(P/Q)Q$. By construction of $P/Q$, we know that there exists a simulation $S_x$ from $Q$ to $P_x$ for all final states $x \in F_{P/Q}$. Moreover, there is a relation $T : P/Q \to P$ satisfying all properties of simulation except the final state property, namely a restriction of the identity relation $id_P$. We can show that $T' = (\cup_x S_x) \cup T$ is indeed a simulation from $(P/Q)Q$ to $P$ and $S' \circ T'$ is a simulation from $RQ$ to $P$.

It then follows from general properties of Galois connections that $(\cdot\, Q)$ is (conditionally) completely additive, hence right continuous.

It remains to show left continuity. Let $(Q_i)_i$ be a directed set of automata such that $\sup_i Q_i = Q$ and let $P$ be any automaton. Then $\sup_i (PQ_i) \le PQ$ because multiplication is monotone, and it remains to show $PQ \le \sup_i (PQ_i)$. Let us assume that $\sup_i (PQ_i) \le R$. We will show that $PQ \le R$.

By definition of supremum, $PQ_i \le R$ for all $i$, hence there is a set of states $X_i = \{x \in R \mid Q_i \le R_x\}$, that is, the set of all those states in $R$ from which $Q_i$ is simulated. Obviously, $X_i \subseteq X_j$ if $Q_j \le Q_i$ in the directed collection. But since $R \in$ Aut$_f$ has only finitely many states, there must be a minimal set $X$ in that directed set such that all $Q_i$ are simulated by $R_x$ for some $x \in X$. Therefore $Q = \sup_i Q_i \le R_x$ for all $x \in X$. There exists a simulation $S_X : PQ_i \to R$ for some $i$ such that the residual automaton $R/Q_i$ has precisely $X$ as its set of final states. We can thus take the union of $S_X$ restricted to $P$ with all simulations yielding $Q \le R_x$ for all $x \in X$ and verify that this is indeed a simulation of $PQ$ to $R$. □

Figure 7: Construction of the simulation to prove the interchange law:

$S = id \cup \{((x', i), (x', y)) \mid y \in F_Q$ and $i \xrightarrow{a} x' \in \to_{P'}$ and $i \in Q'\} \cup \{((i, y'), (x, y')) \mid x \in F_P$ and $i \xrightarrow{a} y' \in \to_{Q'}$ and $i \in P'\}$

We denote by $L(P) = \{t \mid t$ is a tree and $t \le P\}$ the tree language associated to $P$. We have

Lemma 26. $P \le Q$ iff $L(P) \subseteq L(Q)$.

A specialised version of this theorem can be found in [?]. In this paper, we prove it for our rooted $\eta$-simulation.

Proof. By transitivity of simulation, $P \le Q$ implies $L(P) \subseteq L(Q)$, so it suffices to show the converse.

Let $L(P) \subseteq L(Q)$ and consider the relation $S : P \to Q$ such that $(x, y) \in S$ iff $L(P_x) \subseteq L(Q_y)$, where $P_x$ is the automaton constructed from $P$ with initial state $x$ as in the previous proof. We now show that the rooted version of $S$ is a simulation.

• Since $L(P) \subseteq L(Q)$, we have $(i_P, i_Q) \in S$.

• Let $(x, y) \in S$ and $x \in F_P$; then $1 \in L(P_x) \subseteq L(Q_y)$. Hence $y \in F_Q$.

• Let $(x, y) \in S$, $L(P_x) \subseteq L(Q_y)$ and $x \xrightarrow{a} x'$ be a transition of $P$. There are two cases:

  a) $a$ is internal: for any tree $t$, $at \le t$. Hence $L(P_{x'}) \subseteq L(Q_y)$, i.e. $(x', y) \in S$.

  b) $a$ is external: assume for a contradiction that for each $y'_i \in Q$ such that $y \Rightarrow y_1 \xrightarrow{a} y'_i$ there exists $t_i \in L(P_{x'})$ such that $t_i \notin L(Q_{y'_i})$. Since $Q \in$ Aut$_f$, there are only finitely many such $y'_i$. By definition of $\eta$-simulation, $a(\sum_i t_i) \in L(P_x)$, and it follows from the hypothesis that $a(\sum_i t_i) \in L(Q_y)$, i.e. $a(\sum_i t_i) \le Q_y$. It follows from the definition of $\eta$-simulation that there exists $y'_j$ such that $y \Rightarrow y_1 \xrightarrow{a} y'_j$ and $\sum_i t_i \le Q_{y'_j}$, which implies $t_j \le \sum_i t_i \le Q_{y'_j}$, a contradiction.

• Making the relation $S$ rooted does not affect the well-definedness of $S$ as a simulation because the automata $P, Q$ are rooted.

□

Proposition 27. The concurrency operator $\|$ is (conditionally) continuous in Aut$_f$.

Proof. We need to show that for any $\le$-directed sequence $(Q_i)_i \subseteq$ Aut$_f$ such that $\sup_i Q_i = Q$, we have $\sup_i (P\|Q_i) = P\|Q$, where the frame is left implicit. Firstly, we show that

$L(P\|Q) = \downarrow(L(P)\|L(Q)) = \downarrow\{t\|t' \mid t \in L(P) \wedge t' \in L(Q)\}$

where $\downarrow X$ is the down closure of $X$. Since $\|$ is monotone, $t\|t' \in L(P\|Q)$. Conversely, let $t \in L(P\ {}_A\|\ Q)$. By unfolding $P$ and $Q$ up to the depth of $t$, we can find two trees $t_P, t_Q$ such that $t \le t_P\|t_Q$, and hence $t \in \downarrow(L(P)\|L(Q))$. Secondly, we have

$L(P\|Q) = \downarrow\{t\|t' \mid t \in L(P) \wedge t' \in \cup_i L(Q_i)\}$

$= \downarrow \cup_i \{t\|t' \mid t \in L(P) \wedge t' \in L(Q_i)\}$

$= \cup_i \downarrow\{t\|t' \mid t \in L(P) \wedge t' \in L(Q_i)\}$

$= \cup_i L(P\|Q_i)$

and directedness ensures that $L(Q) = \cup_i L(Q_i)$ (footnote 11). Therefore, Lemma 26 ensures that $P\|Q = \sup_i (P\|Q_i)$. □

Remark 28. The following remarks ensures the ex- 
istence of an o function satisfying the properties listed 
in Section^ 

1. The axiom tt — r ensures that o(x) G {0, r, 1} 
for any leTj. If o(x) = then x will never ter- 
minate successfully. If o(x) = 1, then x may ter- 
minate successfully without the execution of any 

11 UiL{ C Q is obvious and the converse could be proven by 
showing that if t £ £(Q) and t ^ L{Qi) for every i, then there 
exists Q constructed from Q "minus" some part of t such that 
Qi < Q' < Q for any i. 



action 0, and if o(x) = t then x may terminate 
successfully after the execution of some action. 

2. The interpretation of $o$ in the concrete model respects simulation. In fact, let $P, Q$ be the automata representing some terms in $T_\Sigma$, and $S : P \to Q$ be a simulation. After replacing each action in $P, Q$ by $\tau$, $S$ remains a simulation by Property (a) of Definition. Therefore

- if $o(P) = 1$ then the initial state of $P$ is final and so is the initial state of $Q$,

- if $o(P) = \tau$ then the initial state of $P$ leads to some final state and so does the initial state of $Q$, i.e. $\tau \le o(Q)$,

- if $o(P) = 0$ then we are done,

and in all three cases $o(P) \le o(Q)$. Hence, it is safe to assume that $o$ is well defined on $T_\Sigma$ modulo the axioms of weak concurrent Kleene algebra. In particular, $o$ is monotonic with respect to the restriction of the natural order of the algebra on $T_\Sigma$.

3. The last property $o(x\|y) \le o(x)o(y)$ is in general a strict inequality. For instance, if $a, b$ are synchronised actions then $o(a\|b) = o(0) = 0$ but $o(a)o(b) = \tau\tau = \tau$.



Proposition 29. In $\mathrm{Aut}$, $\sqsubseteq_{\mathrm{may}}$ reduces to language equivalence.

Recall that we assume there is only one non-trivial internal action, namely $\tau$, and it satisfies $\tau\tau = \tau$.

Proof. Firstly, the language of the automata associated to $x$ is given by

$Tr(x) = \{t \mid t$ is linear, loop-free, has only $\tau$ as non-synchronised action and $t \le_\tau x\}$

where $x \le_\tau y$ if there is a simulation between the automata represented by $x$ and $y$ such that all non-synchronised actions are replaced by $\tau$.¹² This ensures for instance that $Tr(\mathit{flip}) = \{\tau\}$.

Recall that $Tr(x\|y) = Tr(x) \cap Tr(y)$ because elements of $Tr(x)$ are of the form $w\tau$ or $w$ (modulo the equivalence from $\le_\tau$) where $w$ is a word formed of synchronised actions only.¹³

For the direct implication, assume $x \sqsubseteq_{\mathrm{may}} y$ and let $t \in Tr(x)$. Then $o(x\|t) \ne 0$ and since $x\|t \le y\|t$, we have $o(y\|t) \ne 0$. Since $t$ has synchronised actions only (or possibly ends with $\tau$) and $o(y\|t) \ne 0$, then $t \in Tr(y)$, that is $Tr(x) \subseteq Tr(y)$.

Conversely, let $Tr(x) \subseteq Tr(y)$ and $z \in T_\Sigma$. Then $Tr(x\|z) = Tr(x) \cap Tr(z) \subseteq Tr(y) \cap Tr(z) = Tr(y\|z)$. So if $o(y\|z) = 0$ then $y\|z$ has no final state and hence $Tr(y\|z) = \{0\}$. Hence $Tr(x\|z) = \{0\}$, i.e. $x\|z$ has no final state, that is $o(x\|z) = 0$. □

¹² A rigorous proof of this fact could be done by induction on the structure of $x$.

¹³ A small difference from CSP is that we consider only words terminating to final states, but since $F_{x\|y} = F_x \times F_y$ we are safe to use most of the general properties found in CSP, such as

$Tr(x\|y) = \{t \mid t|_x \in Tr(x) \wedge t|_y \in Tr(y)\}$

B Specification of Rabin's Protocol.

Recall that $P(a, k)$ is the specification of a tourist in front of the door $a \in \{m, c\}$ who has $k$ written on his notepad (Figure 8).



[Figure 8 (image omitted): automaton for $P(a, k)$ with transitions labelled $a!k$, $[a := \bar a]$ and $[k := K+2]$.]

Figure 8: Interpretation of $P(a, k)$ in terms of automata with implicit probability.

Any action of the form $[a]$ is considered internal. The symbol ∘ denotes final states and • is a deadlock state. In this protocol, the deadlock state is used to specify that the tourist has come to a decision, and the common place would be the value of $a$ when the deadlock state is reached.

Theorem 30. In the concrete model, the specification of Rabin's protocol satisfies

$S = [((P+Q)\|M)^* ((P+Q)\|C)^*]^*$

Firstly, notice that if $\cdot$ is (conditionally) continuous then $x^* = \sup_{n \in \mathbb{N}} (1+x)^n$. The proof relies on the fact that $f_x^n(0) = (1+x)^n$ where $f_x(y) = 1 + x\cdot y$, and the result follows by taking the limit.

Proof. The above property allows us to express $x^*$ as the limit of finite iterations of $x$ interleaved with successful termination. We have

$(P+Q)^* \| (M+C)^* = \sup_m (1+P+Q)^m \| \sup_n (1+M+C)^n = \sup_m \sup_n [(1+P+Q)^m \| (1+M+C)^n]$

The processes $P$ and $Q$ are essentially delimited by $a!K$ and $\bar a!K$, which ensures the following properties of the system

$X\cdot A \| Y\cdot B = [X\|Y]\cdot(A\|B)$ (17)
$X\cdot A \| 1 = 0$ (18)
$Y\cdot B \| 1 = 0$ (19)

for all processes $A, B$, where $X = P+Q$ is the collection of tourists and $Y = M+C$ is the collection of places.

In particular,

$1\|(1+X)^n = 1\|(1+X)^{n-1} + 1\|X\cdot(1+X)^{n-1} = 1\|(1+X)^{n-1}$

and by induction, since $1\|1 = 1$,

$1\|(1+X)^n = 1$ (20)

for every $n \in \mathbb{N}$. Similarly, $1\|(1+Y)^n = 1$.

On the other hand, let us denote $T_{m,n} = (1+X)^m \| (1+Y)^n$; then

$T_{m,n} = [(1+X)^{m-1} + X\cdot(1+X)^{m-1}] \| [(1+Y)^{n-1} + Y\cdot(1+Y)^{n-1}]$
$= T_{m-1,n-1} + X\cdot(1+X)^{m-1}\|(1+Y)^{n-1} + (1+X)^{m-1}\|Y\cdot(1+Y)^{n-1} + [X\|Y]\cdot T_{m-1,n-1}$

Let $U_{m-1,n-1} = X\cdot(1+X)^{m-1}\|(1+Y)^{n-1}$; then

$U_{m-1,n-1} = U_{m-1,n-2} + [X\|Y]\cdot T_{m-1,n-2}$
$= U_{m-1,n-3} + [X\|Y]\cdot T_{m-1,n-3} + [X\|Y]\cdot T_{m-1,n-2}$
$= \cdots$

Since the sequence $(1+Y)^n$ is monotone, $T_{m,n} \le T_{m,n'}$ for every $n \le n'$ and therefore $U_{m-1,n-1} \le U_{m-1,0} + [X\|Y]\cdot T_{m-1,n-1}$. But Property (18) implies that $U_{m-1,0} = 0$.

Similarly, $(1+X)^{m-1}\|Y\cdot(1+Y)^{n-1} \le [X\|Y]\cdot T_{m-1,n-1}$. Hence

$T_{m,n} = (1 + [X\|Y])\cdot T_{m-1,n-1}.$
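As an added worked instance (not part of the paper), the recurrence carried through for $m = n = 2$, using only properties (17)–(20), right distributivity $(y+z)\cdot x = y\cdot x + z\cdot x$, distributivity of $\|$ over $+$ (as in the derivation above), and monotonicity of $\cdot$; it shows how the two cross terms are absorbed into $[X\|Y]\cdot T_{1,1}$:

```latex
\begin{align*}
T_{1,1} &= (1+X)\|(1+Y) = 1\|1 + 1\|Y + X\|1 + X\|Y \\
        &= 1 + 0 + 0 + [X\|Y]\cdot(1\|1) && \text{by (18), (19) and (17) with } A = B = 1 \\
        &= 1 + [X\|Y] = (1+[X\|Y])^{\min(1,1)}. \\[1ex]
U_{1,1} &= X\cdot(1+X)\,\|\,(1+Y) = X\cdot(1+X)\|1 + X\cdot(1+X)\|Y \\
        &= 0 + [X\|Y]\cdot\big((1+X)\|1\big) && \text{by (18) and (17) with } A = 1+X,\ B = 1 \\
        &= [X\|Y]\cdot T_{1,0} = [X\|Y] && \text{by (20),} \\
(1+X)\|Y\cdot(1+Y) &= [X\|Y]\cdot T_{0,1} = [X\|Y] && \text{symmetrically, by (19), (17) and (20).} \\[1ex]
T_{2,2} &= T_{1,1} + U_{1,1} + (1+X)\|Y\cdot(1+Y) + [X\|Y]\cdot T_{1,1} \\
        &= T_{1,1} + [X\|Y] + [X\|Y]\cdot T_{1,1} \\
        &= T_{1,1} + [X\|Y]\cdot T_{1,1} && \text{since } 1 \le T_{1,1} \text{ gives } [X\|Y] \le [X\|Y]\cdot T_{1,1} \\
        &= (1+[X\|Y])\cdot T_{1,1} = (1+[X\|Y])^{\min(2,2)}.
\end{align*}
```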

By induction, we show that

$T_{m,n} = (1 + [X\|Y])^{\min(m,n)}$

because $T_{0,n} = T_{m,0} = 1$ by Equation (20). Finally, we have

$X^*\|Y^* = \sup_m \sup_n (1+X)^m \| (1+Y)^n = \sup_n (1 + [X\|Y])^n = (X\|Y)^*$

□



